1

I can't upgrade to Ubuntu 24.04 so far, even though it was launched many weeks ago.

It starts fine. Then it asks about enabling third-party sources, then it fails at the second step (Setting new software channels).

It shows me an error tab, then it cancels the whole process.

Once I click OK on the error, the whole process gets canceled automatically.

After the upgrade attempt failed, I tried to reboot.

This is what it shows, which I think is the reason: the shim signature. I don't want to download an ISO and do a full format. I only want to upgrade.

eeesa
  • 123

2 Answers

2

This is a common problem and will affect everybody dual booting into Linux. The reason is Microsoft is fiddling around with secure boot, making it so that people booting into Linux will have problems. I was able to get around it by following a couple of posts from people having the same problem. Here is the writeup I wrote on Reddit about how to resolve this problem, located here.

https://old.reddit.com/r/linuxquestions/comments/1euuha4/please_help_error_message_verifying_shim_sbat/


Ok the same thing just happened to me on a Dell Inspiron 17 3793 dual booting into Windows 10 and Ubuntu Mate, which is Ubuntu version 24.04. I booted into Windows 10 and it installed some updates. Everything seemed to be working but after a couple reboots I got the

"Verifying shim SBAT data failed: Security policy violation Something went seriously wrong: SBAT self-test failed: Security Policy Violation"

error message. Apparently Microsoft is setting up systems so that only certain bootloaders work. This affects everyone dual booting into Linux, it appears. Ubuntu does work, but you have to get the correct update via apt. I followed the instructions located here

https://discourse.ubuntu.com/t/sbat-self-check-failed-mitigating-the-impact-of-shim-15-7-revocation-on-the-ubuntu-boot-process-for-devices-running-windows/47378

Namely

  • Boot into your BIOS and disable secure boot. My BIOS key is F2, but sometimes they vary.

NOTE: I was following a post on the Linux Mint forums which says to run this command

  • sudo mokutil --set-sbat-policy delete

https://forums.linuxmint.com/viewtopic.php?t=427297

The Ubuntu forums post does not say to run the mokutil command. However, I ran the above command first, rebooted, and it worked for me. Now you have to fix SBAT so that you can re-enable secure boot.

  • Boot into Ubuntu and run

  • sudo apt update && sudo apt upgrade shim-signed

  • Reboot, then boot into Ubuntu AGAIN with secure boot still disabled, and it will automatically cause the shim to reset the SBAT.

  • Reboot into the BIOS again and re-enable secure boot

Those steps worked for me. Man, scary moment there, as my keyboard failed a couple of days earlier, which is why I rebooted into Windows, then this. Apparently the keyboard issue is potentially a hardware problem with some Dell laptops after a while. Mine is around 5 years old now, time to upgrade I guess. In the meantime I just attached an old USB keyboard and it appears to be working.

0

Rather than disabling secure boot, another option is to boot a recent Ubuntu LiveUSB ISO (24.10 worked for me) and update the Shim binary to version 15.8 or later.

Instructions copied from https://askubuntu.com/a/1533802/879530

Check efibootmgr -v to see what your boot order is, and which EFI path is executed. For me, this was /boot/efi/EFI/ubuntu/shimx64.efi, but if your install is on a removable drive it might be /boot/efi/EFI/boot/bootx64.efi (if you are running systemd-boot or Debian or something else, then look in /boot/efi/EFI/*).

You may have to mount your EFI/EFS partition. First find the appropriate partition of type FAT32, typically around 300MB to 500MB:

sudo fdisk -l

If you are using an NVMe drive, it will typically be /dev/nvme0n1p0, otherwise for SATA drives it might be /dev/sda1.

Then mount the EFI partition so that you can access it:

For NVMe drives:

sudo mount /dev/nvme0n1p0 /boot/efi

Or for SATA drives:

sudo mount /dev/sda1 /boot/efi

To check the version of the installed Shim, run:

# strings /boot/efi/EFI/ubuntu/shimx64.efi | grep '$Version:'
$Version: 15.7 $

If the version is 15.7 (as above), then you must upgrade to 15.8. You can do this automatically by upgrading the shim with apt from the LiveUSB:

apt update
apt install --reinstall shim-signed

Then manually copy the newer shim over the old one:

# cp /boot/efi/EFI/ubuntu/shimx64.efi /boot/efi/EFI/ubuntu/shimx64.efi.old
# cp /usr/lib/shim/shimx64.efi.signed /boot/efi/EFI/ubuntu/shimx64.efi

Now check the Shim version:

# strings /boot/efi/EFI/ubuntu/shimx64.efi | grep '$Version:'
$Version: 15.8 $

If you mounted the EFI partition earlier, be sure to unmount it before rebooting:

sudo umount /boot/efi

Reboot and now the bad shim signature error should be gone.

Additional details

The SBAT list was updated by Microsoft on 20th August 2024 to block Shim version 15.7 because of the CVE-2023-40547 remote code execution vulnerability. The solution to this is to upgrade Shim to the latest version 15.8. Additional details or alternative solutions might be available in this thread: Verifying shim SBAT data failed: Security Policy Violation

akdev
  • 11
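
The version check from the second answer, applied to every shim copy on the ESP rather than one path. This is an added example, not part of either answer and not Ubuntu's tooling; it assumes the `$Version: … $` marker shown above, and the names `audit_esp`, `shim_version`, `version_ge`, `make_sample_esp` and `MIN_SHIM` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the answers above): audit the shim binaries on a
# mounted EFI system partition against the minimum version the answer names.
MIN_SHIM="15.8"

# Print the version embedded in a shim binary ("$Version: 15.7 $" -> 15.7).
# grep -a is used instead of strings so binutils is not required.
shim_version() {
    LC_ALL=C grep -a -o '\$Version: [0-9][0-9.]* \$' "$1" 2>/dev/null |
        head -n 1 | sed 's/^\$Version: //; s/ \$$//'
}

# Succeed if dotted version $1 >= $2, comparing field by field as numbers.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Report every shimx64.efi / bootx64.efi under <esp>/EFI (any letter case).
# Prints "STATUS version path" per file; exit status 1 if any is outdated.
audit_esp() (
    rc=0
    list=$(find "${1:-/boot/efi}/EFI" -maxdepth 2 -type f \
        \( -iname shimx64.efi -o -iname bootx64.efi \) 2>/dev/null | sort)
    while IFS= read -r f; do
        [ -f "$f" ] || continue
        v=$(shim_version "$f")
        if [ -z "$v" ]; then echo "UNKNOWN - $f"   # no shim version string
        elif version_ge "$v" "$MIN_SHIM"; then echo "OK $v $f"
        else echo "OUTDATED $v $f"; rc=1
        fi
    done <<EOF
$list
EOF
    exit "$rc"
)

# Constructed sample ESP (fake binaries carrying only the version marker).
make_sample_esp() {
    mkdir -p "$1/EFI/ubuntu" "$1/EFI/BOOT"
    printf 'MZ\000\001$Version: 15.7 $\000' > "$1/EFI/ubuntu/shimx64.efi"
    printf 'MZ\000\001$Version: 15.8 $\000' > "$1/EFI/BOOT/BOOTX64.EFI"
}
```

Source the file and run `audit_esp /boot/efi` with the ESP mounted; an `UNKNOWN` line means the file carries no shim version string, for example because it is a different boot loader.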